I just got word from Dave Paris: he'll be releasing Crypt::Blowfish 2.09
with the patch below applied - should be on CPAN mirrors today or tomorrow.

Regards,
Vlad Jebelev

On Tue, 13 Nov 2001, Vlad Jebelev wrote:
> The author of Crypt::Blowfish changed the default key size to 8 (from 0) in
> the latest version - and at the same time Crypt::CBC has logic that will
> either use a value returned by Crypt::Blowfish (if it's more than 0) or
> default to 56 bytes.
>
> So, the server OpenSRS code (running Crypt::Blowfish 2.06) uses 56 bytes for
> the key size and if the client side uses the 2.08 version, then it will now
> use 8 bytes for the key -> the client won't authenticate. Of course, upgrading
> our server to the new version won't help either since then the clients using
> the older versions of Crypt::Blowfish won't work.
>
> I wrote the author of Crypt::CBC about this; meanwhile, either use the 2.06
> version for now or apply this patch against the 2.08 version of Blowfish.pm:
>
> --- Blowfish.orig Tue Nov 13 01:19:45 2001
> +++ Blowfish.pm Tue Nov 13 01:20:24 2001
> @@ -31,7 +31,7 @@
>
>
> sub blocksize { 8; } # /* byte my shiny metal.. */
> -sub keysize { 8; } # /* we'll leave this at 8 .. for now. expect
> change. */
> +sub keysize { 0; } # /* we'll leave this at 8 .. for now. expect
> change. */
> sub min_keysize { 8; }
> sub max_keysize { 56; }
>
>
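Review bot: On the added `sub keysize { 0; }` line, the trailing comment still reads "we'll leave this at 8 .. for now", which now contradicts the value the sub returns. Suggest rewording it to say that 0 is returned deliberately so that Crypt::CBC falls back to its 56-byte default and stays compatible with peers on 2.06. Since `min_keysize` stays at 8 while `keysize` reports 0, a short comment on how the two relate would also help callers that read `keysize` directly. The comment is wrapped onto a continuation line ("change. */") that carries no +/- prefix, so the patch as mailed may need unwrapping before it applies.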
> Regards,
> Vlad
>
>
> On Mon, 12 Nov 2001, Charles Daminato wrote:
>
> > This just came out, turns out it doesn't (yet) work with our servers,
> > which are running 2.06
> >
> > We'll be running some tests to determine if upgrading the server does not
> > affect clients running older versions of Blowfish. In the interim, you
> > can get the older working version here:
> >
> > http://cpan.valueclick.com/authors/id/D/DP/DPARIS/
> >
> > Charles Daminato
> > TUCOWS Product Manager
> > [EMAIL PROTECTED]
> >
> >
>
>
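The key-size mismatch described in this thread, modelled as an added example (not code from Crypt::Blowfish, Crypt::CBC or OpenSRS). The version-to-keysize table and the 56-byte fallback come from the messages above; the SHA-256 chaining in `derive_key` and the shared secret are assumptions standing in for the real key derivation.

```python
import hashlib

CBC_DEFAULT_KEYSIZE = 56  # fallback Crypt::CBC uses, per the thread

# Value returned by keysize() in each Crypt::Blowfish release, per the thread:
# 2.06 returned 0, 2.08 returns 8, 2.09 ships with the patch (back to 0).
REPORTED_KEYSIZE = {"2.06": 0, "2.08": 8, "2.09": 0}


def effective_keysize(version):
    """Use the cipher's value if it is more than 0, otherwise default to 56."""
    reported = REPORTED_KEYSIZE[version]
    return reported if reported > 0 else CBC_DEFAULT_KEYSIZE


def derive_key(secret, keysize):
    """Stand-in derivation (assumption): chain SHA-256 until keysize bytes exist."""
    material = hashlib.sha256(secret).digest()
    while len(material) < keysize:
        material += hashlib.sha256(material).digest()
    return material[:keysize]


def interoperates(client_version, server_version,
                  secret=b"constructed-shared-secret"):
    """Both ends must arrive at identical key bytes for authentication to work."""
    client_key = derive_key(secret, effective_keysize(client_version))
    server_key = derive_key(secret, effective_keysize(server_version))
    return client_key == server_key


def compatibility_matrix():
    """Map every (client, server) version pair to True/False interoperability."""
    versions = sorted(REPORTED_KEYSIZE)
    return {(c, s): interoperates(c, s) for c in versions for s in versions}


if __name__ == "__main__":
    for (client, server), ok in compatibility_matrix().items():
        status = "ok" if ok else "KEY MISMATCH"
        print(f"client {client}  server {server}  {status}")
```

The matrix shows why upgrading only one side does not help: any pairing of 2.08 with 2.06 or 2.09 yields different key lengths, and therefore different keys.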